Managing passwords

ABSTRACT

A method is used in managing passwords. A proposed new password is received. The proposed new password is associated with contextual information indicating a context in which the proposed password is to be used. A machine learning model is dynamically selected from a set of machine learning models based on the contextual information. A quality metric is derived from the proposed new password based on the selected machine learning model.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/176,223, filed on Oct. 31, 2018.

FIELD OF THE INVENTION

This application relates to managing passwords.

BACKGROUND

The rush of cloud adoption and the explosion in mobile device usage have left organizations with information scattered across resources and applications, both inside and outside the traditional perimeter. Each of these applications and information sources requires unique access, creating “islands of identity” that become increasingly complex to manage—while making it more difficult for users to quickly and conveniently access what they need to do their jobs. As users travel from application to application (or island to island), they must remember multiple credentials, including usernames and passwords, while grappling with varying access policies and processes.

In many cases, a company could use multiple approaches to securing its islands of identity—perhaps a VPN, PAM, internal web portal and multiple SaaS vendors. Each resource is working to protect access to its assigned area, but the company as a whole lacks centralized visibility, a convenient user experience, and a consistent approach to authentication policies and procedures.

For IT security and operations teams, these daily realities complicate the authentication and identity process:

The VPN gauntlet. As more and more data moves to the cloud, IT defaults to what it knows, requiring everyone to access cloud apps through the VPN. This introduces a complex user experience, duplicates authentication processes and forfeits the benefits of always-on mobile cloud access.

The Fort Knox paradox. Information technologists' historic approach has been to implement the strongest form of authentication available, all the time. In a perimeter-less world, you need the flexibility to apply intelligent, appropriate control, without frustrating users or disrupting business continuity.

Mob rule. Users demand access to an ever-widening array of applications, via a similarly expanding range of mobile devices. Increasingly distributed workforces drive toward two seemingly competing objectives: convenient access for users and secured access for IT.

Balancing the needs of the company or enterprise to limit access to its most valuable information against those of users who want convenient access to enterprise data is an ongoing challenge. Even today, most enterprises use password rules such as length requirements combined with character mandates. There is thus a need to enhance security in administering password authentication policies.

SUMMARY

A method is used in managing passwords. A proposed new password is received. The proposed new password is associated with contextual information indicating a context in which the proposed password is to be used. A machine learning model is dynamically selected from a set of machine learning models based on the contextual information. A quality metric is derived from the proposed new password based on the selected machine learning model.

BRIEF DESCRIPTION OF THE DRAWINGS

Objects, features, and advantages of embodiments disclosed herein may be better understood by referring to the following description in conjunction with the accompanying drawings. The drawings are not meant to limit the scope of the claims included herewith. For clarity, not every element may be labeled in every figure. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments, principles, and concepts. Thus, features and advantages of the present disclosure will become more apparent from the following detailed description of exemplary embodiments thereof taken in conjunction with the accompanying drawings in which:

FIG. 1 depicts an architectural overview of a system according to embodiments herein.

FIG. 2 depicts a table showing exemplary enterprise contexts for a corporation according to embodiments.

FIG. 3 depicts a flow chart showing steps of method embodiments disclosed herein.

DETAILED DESCRIPTION

Described below is a technique for use in managing passwords, which technique may be used to provide, among other things, receiving a proposed new password, the proposed new password being associated with contextual information indicating a context in which the proposed password is to be used, based on the contextual information, dynamically selecting a machine learning model from a set of machine learning models, and based on the selected machine learning model, deriving a quality metric from the proposed new password.

Illustrative embodiments may be described herein with reference to exemplary cloud infrastructure, data centers, data processing systems, computing systems, data storage systems and associated servers, computers, storage units and devices and other processing devices. It is to be appreciated, however, that embodiments of the invention are not restricted to use with the particular illustrative system and device configurations shown. Moreover, the phrases “machine learning system” and “password quality measurement system” and the like as used herein are intended to be broadly construed, so as to encompass, for example, systems deployed on or in private or public cloud computing, private or public networks, private or public data storage systems, or any other electronic device protected by password authentication.

Similarly, the term “enterprise” is to be construed broadly to include, without limitation, an organization, a network, a group, an affiliation, a team, a league, humans organized by one or more common attributes, machines organized by one or more common attributes, and the like. The term “password” is to be construed broadly so as to encompass, without limitation, any combination of information, for example, whether text, photographic, audio, optical, biometric, and the like, used to grant or deny access to something tangible, such as, without limitation, a network, data, a public or private cloud, a physical location, a virtual location, a web browser, an API, a portal, an enterprise cloud, and the like.

A given embodiment may more generally comprise any arrangement of one or more devices.

As used herein, the following terms and phrases have the following illustrative meanings: “application” generally refers to one or more software programs designed to perform one or more functions; “metadata” generally refers to data that describes or defines other data; “enterprise cloud” generally refers to a computing environment residing behind a firewall that delivers software, infrastructure, and platform services to an enterprise.

In recent years, techniques using statistics and machine learning have emerged for assessing user password quality, also known as password strength. These techniques compute a “guessability” score by comparing a user's password to a known set of bad or breached passwords. The score is used to guide users towards picking passwords that are not similar to known bad or breached passwords. Even though such techniques are better than simply using password rules (e.g. password must be of a certain length and contain certain character combinations) that reduce the probability of user account compromise, such conventional techniques only operate on training sets containing globally known bad or breached passwords.

Generally, user passwords are often associated with the context in which they are used. For instance, a user who works at Dell EMC might choose his or her password to be “DellEMC1975!” or a user using Salesforce might choose a password like “Sales4rce!”. These passwords aren't ostensibly bad until one considers the context in which they're used. Attackers that are attempting to compromise the security of an enterprise are often aware of this context, and such attackers can alter their password attacks based on their target of compromise. Conventionally, such context-specific information associated with a password is not taken into account when evaluating the quality of a password.

By contrast, in at least some implementations in accordance with the technique as described herein, one or more machine learning models based on contextual information are used when authenticating a password. At the time of a user authentication, a machine learning model is selected dynamically based on contextual information and such selected machine learning model is used for generating a password score indicating quality of the password. Such password score is then used by an authentication system to determine whether it is okay to accept the password.

In at least some implementations in accordance with the current technique as described herein, the use of the managing passwords technique can provide one or more of the following advantages: improving authentication of passwords, efficient evaluation of quality of passwords, and generating passwords that are more resilient to compromise by attackers.

FIG. 1 depicts a password quality measurement system 100 that is used in embodiments herein. The password quality measurement system 100 is used when a user seeks to initially establish a password, reset a password, or use a password. In current embodiments, rather than relying on historical or static information in isolation, such as prior breached passwords or minimum character strings required for passwords, the systems, methods, and products taught herein use dynamically created context-specific information relevant to a particular enterprise.

In this way, password strength is improved because the vulnerability of context-specific passwords is taken into consideration when determining if a new password is sufficiently strong to be approved. Of course, in embodiments, an administrator optionally may choose to configure a minimum password strength threshold in order for a new password to be acceptable. In these embodiments, heightened security requirements, which are data dependent, are implemented. The greater the desire to protect access to the data, the higher the setting will be for the password security threshold.

In at least one embodiment, contexts are defined at the enterprise level. However, in other embodiments, contexts may also be defined at a user level or based on applications used by the user. Contexts are also established by using attributes related to the enterprise. In some embodiments, these contexts are static. In other embodiments, they fluctuate over time. Some examples, without limitation, of contextual information are: organization, division, location, department, applications with unique logins, user types, product names, an application to which a user seeks access, a service to which a user seeks access, and the like. Thus, contextual information can be associated with a user or with any information associated with an authentication action. Each context corresponds to a set of passwords users within that context are likely to use. Additionally, the breadth of contexts spreads beyond the specific attributes themselves in some embodiments. An enterprise may choose to establish a single context or multiple contexts.

FIG. 2 is illustrative. In this example, we use Dell as an enterprise comprising four strategic business units, Dell EMC, VMWare, Pivotal, and RSA. Users from each of these strategic business units, as an example, are located in North America, South America, Europe, and Asia. In this example, we omit application, assuming that single sign-on has been implemented across all applications users use at Dell, and therefore there is only one login that users use. Taking the user's division and location into account in this example, we end up with a set of contexts containing, for example, 16 different contexts, as shown in FIG. 2. The contextual relationships and information in embodiments are enhanced by increasing the breadth of each context. One way this is done is by adding terms relevant to that particular context, which the enterprise wants to dissuade users within that context from using in their passwords. For instance, the context “RSA-South America” includes RSA-specific terms such as “RSA”, “SecurId”, “Netwitness”, “Archer” and terms that might crop up frequently in South America like “Messi” or “Ronaldo.” This information forms the basis of a machine learning model used for a user from RSA who is located in South America.

Referring to FIG. 1, we show a process for developing machine learning models 113 based on these contexts. The machine learning models 113 can be contextual only or contextual combined with universal training data 114, which in some embodiments includes a set of vulnerable passwords. In the illustrative example using Dell as an enterprise, the number of contexts, N, is 16. For example, RSA-South America is context 1 122, Dell EMC-South America is context 2 124, and Pivotal-North America is context N 126. In this situation, machine learning algorithms populate the respective password training sets 132, 134, 136 for each of these contexts. Machine learning system 116 could be a processor, a special purpose ASIC, or similar device running machine learning algorithms known to those of skill in the art.

In some embodiments, one or more password training sets 132, 134, 136 are constructed from contextual information only. In alternate embodiments, one or more password training sets 132, 134, 136 are constructed from contextual information and universal training data 114.

Those of skill in the art will recognize that context information may change over time. The machine learning algorithms used to generate the set of models 118 (also referred to herein as “machine learning models”) are designed to accommodate these fluctuations or changes in contextual information. For example, if one year the Olympics were being hosted in South America, the divisions located in South America may add the term “Olympics” to the list of password terms to be avoided within the machine learning model.

In some embodiments password security is enhanced by combining contextual information with a universal training set of vulnerable passwords. Vulnerable passwords are passwords that are known to be bad, regardless of the user's context. Those of skill in the art recognize that vulnerable passwords are publicly available on the dark web, for example, or in databases such as those administered by the company known as 1password.

Combining the contextual information with vulnerable passwords contained in universal training data 114 is done in a variety of ways. One example is to associate a weight with each vulnerable password. The weight is used as part of the cost function that is computed as part of training machine learning models. Vulnerable terms within a context are given a large weight relative to terms in the universal training set to ensure that contextual terms are fairly represented in the final trained model.

In our example, as illustrated in FIG. 2, 16 different training sets are generated after combining each of the 16 contexts with the universal training set. The machine learning system then trains separate models for each training set, producing 16 different models. It should be noted that “a machine learning system”, for example, may signify any process that takes a set of passwords as an input and produces a model that can be used to compute a password “guessability” score when the model is provided an input password for evaluation.

Referring to FIG. 1 and FIG. 3, shown is a flow diagram illustrating managing passwords. In at least one embodiment of the current technique, the user authentication flow consists of a client process 102 and a server process 104. The client process 102 is a component running locally on the user's device that carries out the authentication process on behalf of the user. This could be, for example and without limitation, an application running in a web browser on a user's laptop, a mobile app on the user's phone, or an operating system. The server process 104 handles server-side authentication functions, often residing on one or more remote hosts over the network. Note that the word “process” is a logical term and does not imply a single operating system process.

Let's suppose a user is setting or resetting his or her password. The user enters his or her proposed new password into an end-user application or into an API or other similar interface for a service. The client process 102 submits the proposed new password, along with relevant contextual information such as contextual metadata, to the User Authentication 106 module of the server process 104. In this way, the server process receives 310 the proposed new password as well as contextual information indicating a context in which the proposed password is to be used. The User Authentication Module 106 gathers contextual metadata related to the user, the user's organization or enterprise, an application or service to which the user seeks access, and optionally additional contextual metadata from other backend systems (not shown in the diagram above) to establish a full context.

The context and the proposed new password are sent to a Password Scorer module 108, which also includes a Selector 110 and a Predictor 112. Based on the contextual information, the Selector 110 dynamically selects 312 a machine learning model 142, 144, or 146 from a set of machine learning models 118. The Selector 110 provides the chosen machine learning model 142, 144, or 146 to the Predictor 112. Based on the selected machine learning model, the Predictor 112 derives a password score for the proposed new password.

In some embodiments, the predictor 112 generates a “guessability” or strength score, which is used to determine 314 if the proposed new password is acceptable. Once the server process 104 has determined whether the proposed new password is sufficiently secure, the server process 104 notifies the client process 102 of the acceptance or rejection of the proposed new password.
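The following is an added example, not code from the patent or from any product it describes. It puts the pieces described above into one runnable program: the per-context training sets built from heavily weighted context terms plus a lightly weighted universal set of vulnerable passwords (as in the weighting discussion and the FIG. 2 example), the Selector 110 / Predictor 112 flow with an administrator threshold (steps 310 to 314), and retraining of a single context when its term list changes (the “Olympics” case). The patent leaves the model open (“any process that takes a set of passwords as an input and produces a model”), so the weighted character-bigram model here is one stand-in for it, chosen for being simple and auditable; the universal-only fallback for unknown contexts, the 50-bit threshold, the `ALPHA` smoothing constant, and every term list and sample password are assumptions constructed for the example.

```python
"""Context-aware password scoring: an added example, not code from the patent.

It implements the flow the text describes (FIG. 1 / FIG. 3) with a toy
statistical model: each context's training set is its context terms at a
high weight plus the universal list of known-bad passwords at a low weight;
a weighted character-bigram model is trained per context; the Selector picks
the model for a (division, location) context; the Predictor derives a
guessability score in bits; an administrator threshold decides acceptance.
All term lists and sample passwords below are constructed for the example.
"""
import math
from collections import defaultdict

START = "^"            # pseudo-character marking the start of a password
ALPHABET_SIZE = 95     # printable ASCII characters the model may predict
ALPHA = 0.1            # additive smoothing: unseen transitions keep a small probability

# Constructed universal training data 114: passwords that are bad in every context.
UNIVERSAL_BAD = ["password", "123456", "qwerty", "letmein", "welcome1"]

# Constructed context terms keyed by (division, location), following FIG. 2.
CONTEXT_TERMS = {
    ("RSA", "South America"): ["RSA", "SecurID", "NetWitness", "Archer", "Messi", "Ronaldo"],
    ("Dell EMC", "South America"): ["Dell", "DellEMC", "Messi", "Ronaldo"],
    ("Pivotal", "North America"): ["Pivotal", "CloudFoundry", "Brady"],
}

CONTEXT_WEIGHT = 5.0    # context terms outweigh universal terms, as the text describes
UNIVERSAL_WEIGHT = 1.0


class BigramModel:
    """Weighted character-bigram model: training adds each string's weight to its transitions."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(float))
        self.totals = defaultdict(float)

    def train(self, weighted_strings):
        for text, weight in weighted_strings:
            prev = START
            for ch in text.lower():          # case-fold: 'Messi' and 'messi' share transitions
                self.counts[prev][ch] += weight
                self.totals[prev] += weight
                prev = ch
        return self

    def transition_prob(self, prev, ch):
        seen = self.counts.get(prev, {}).get(ch, 0.0)
        return (seen + ALPHA) / (self.totals.get(prev, 0.0) + ALPHA * ALPHABET_SIZE)

    def guessability_bits(self, password):
        """-log2 of the password's probability under this model; higher means harder to guess."""
        bits, prev = 0.0, START
        for ch in password.lower():
            bits -= math.log2(self.transition_prob(prev, ch))
            prev = ch
        return bits


def build_training_set(context_terms, universal=UNIVERSAL_BAD):
    """One training set 132/134/136: context terms (high weight) plus universal data (low weight)."""
    weighted = [(term, CONTEXT_WEIGHT) for term in context_terms]
    weighted += [(pw, UNIVERSAL_WEIGHT) for pw in universal]
    return weighted


def train_models(context_terms=CONTEXT_TERMS):
    """Set of models 118: one per context, plus a universal-only fallback (an assumption here)."""
    models = {ctx: BigramModel().train(build_training_set(terms))
              for ctx, terms in context_terms.items()}
    models[None] = BigramModel().train(build_training_set([]))
    return models


def select_model(models, context):
    """Selector 110: pick the model for this context; unknown contexts get the universal model."""
    return models.get(context, models[None])


def evaluate_password(models, password, context, threshold_bits=50.0):
    """Server steps 310-314: receive password + context, select model, score, decide."""
    bits = select_model(models, context).guessability_bits(password)
    return {"context": context, "bits": round(bits, 2), "accepted": bits >= threshold_bits}


def add_context_terms(models, context_terms, context, new_terms):
    """Contexts change over time (a host city adding 'Olympics'): retrain only that context's model."""
    context_terms[context] = list(context_terms.get(context, [])) + list(new_terms)
    models[context] = BigramModel().train(build_training_set(context_terms[context]))
    return models[context]


if __name__ == "__main__":
    models = train_models()
    for ctx in (("RSA", "South America"), ("Pivotal", "North America")):
        print(evaluate_password(models, "Messi2022!", ctx))
```

Running the block scores the same proposed password, “Messi2022!”, under two contexts: under the RSA-South America model it falls below the threshold and is rejected, because “messi” is a heavily weighted training term there, while under the Pivotal-North America model the same password clears the threshold. That is the context-sensitivity the text argues for, and it is also the reason the threshold is an administrator setting rather than a constant: the score's scale depends on the model, so the threshold is tuned per deployment. The weight shows up as a multiplier on each training string's transition counts, which is the bigram model's equivalent of weighting a term in a cost function.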

In alternate embodiments, processes depicted on the server process 104, such as the authentication module 106 or the password scorer module 108 or both, are performed at the client 102. Likewise, it is entirely possible for trained machine learning models 113 to run completely client-side 102 on the end user's device. In a “hybrid” embodiment, work is shared evenly between the client 102 and server 104. For instance, the model 142, 144 or 146 can be chosen dynamically by the server process 104, and the chosen model 142, 144, or 146 could be evaluated at the client 102.

Another variation on the above embodiments involves dynamically generating machine learning models. The universal training set 114 can change, for instance, if a new data breach comes to light. In these embodiments, contextual training data is updated by enterprise administrators or automated systems. As training sets or contexts change, new models 118 can be generated offline.

The embodiments above do not presuppose where the server process or machine learning components reside. They could be hosted on premise within the purview of an enterprise or hosted as a service by a trusted third party.

Further, it should be noted that techniques described herein can be employed when a new password is selected by a user in some embodiments and, in other embodiments, such techniques can be employed each time a user uses his/her password during an authentication action.

Throughout the entirety of the present disclosure, use of the articles “a” or “an” to modify a noun may be understood to be used for convenience and to include one, or more than one, of the modified noun, unless otherwise specifically stated.

Elements, components, modules, and/or parts thereof that are described and/or otherwise portrayed through the figures to communicate with, be associated with, and/or be based on, something else, may be understood to so communicate, be associated with, and/or be based on in a direct and/or indirect manner, unless otherwise stipulated herein.

Various changes and modifications of the embodiments shown in the drawings and described in the specification may be made within the spirit and scope of the present invention. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings be interpreted in an illustrative and not in a limiting sense. The invention is limited only as defined in the following claims and the equivalents thereto.

What is claimed is:
 1. A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device to perform steps of: receiving a proposed new password, the proposed new password being associated with contextual information indicating a context in which the proposed password is to be used; based on the contextual information, dynamically selecting a machine learning model from a set of machine learning models; and based on the selected machine learning model, deriving a quality metric from the proposed new password.
 2. The computer product of claim 1, further comprising: based on the quality metric, determining whether to approve the proposed new password.
 3. The computer product of claim 1, wherein the quality metric includes a password score.
 4. The computer product of claim 1, further comprising: establishing a set of contexts based on contextual information, each context of the set of contexts being associated with a set of passwords likely to be used by a user within the respective context, wherein the contextual information includes one or more of organizational information, user information, an application to which the user seeks access, or a service to which the user seeks access.
 5. The computer product of claim 4, further comprising: generating the set of machine learning models by associating each context of the set of contexts with a respective password training set for generating a respective machine learning model.
 6. The computer product of claim 5, wherein a password training set further comprises a plurality of vulnerable passwords.
 7. The computer product of claim 6, wherein generating a machine learning model further comprises: associating each vulnerable password of a password training set used for generating the machine learning model with a weight.
 8. The computer product of claim 7, wherein evaluating the quality metric of the proposed new password using the selected machine learning model includes computing a password score for the proposed new password.
 9. The computer product of claim 1, further comprising: providing the proposed new password and contextual metadata to a password scorer module for dynamically selecting the machine learning model and evaluating the quality metric of the proposed new password using the selected machine learning model, wherein a user authentication module is further configured to determine whether to allow the user to establish the proposed new password based on the quality metric of the proposed new password.
 10. The computer product of claim 9, wherein the user authentication module gathers additional contextual metadata and provides the additional contextual metadata to the password scorer module for evaluating the quality metric of the proposed new password.
 11. A system for managing passwords comprising a memory and a processor configured to: receive a proposed new password, the proposed new password being associated with contextual information indicating a context in which the proposed password is to be used; based on the contextual information, dynamically select a machine learning model from a set of machine learning models; and based on the selected machine learning model, derive a quality metric from the proposed new password.
 12. The system of claim 11, further comprising: based on the quality metric, determining whether to approve the proposed new password.
 13. The system of claim 11, wherein the quality metric includes a password score.
 14. The system of claim 11, wherein the processor is further configured to: provide the proposed new password and contextual metadata to a password scorer module for dynamically selecting the machine learning model and evaluating the quality metric of the proposed new password using the selected machine learning model, wherein a user authentication module is further configured to determine whether to allow the user to establish the proposed new password based on the quality metric of the proposed new password.
 15. The system of claim 14, wherein the user authentication module gathers additional contextual metadata and provides the additional contextual metadata to the password scorer module for evaluating the quality metric of the proposed new password.
 16. A method for use in managing passwords, the method comprising: receiving a proposed new password, the proposed new password being associated with contextual information indicating a context in which the proposed password is to be used; based on the contextual information, dynamically selecting a machine learning model from a set of machine learning models; and based on the selected machine learning model, deriving a quality metric from the proposed new password.
 17. The method of claim 16, further comprising: based on the quality metric, determining whether to approve the proposed new password.
 18. The method of claim 16, wherein the quality metric includes a password score.
 19. The method of claim 16, wherein the new password and the proposed new password is received from a user authentication module, further comprising: providing the new password and contextual metadata to a password scorer module for dynamically selecting the machine learning model and evaluating the quality metric of the new password using the selected machine learning model, wherein the user authentication module is further configured to determine whether to allow the user to establish the new password based on the quality metric of the new password.
 20. The method of claim 19, wherein the user authentication module gathers additional contextual metadata and provides the additional contextual metadata to the password scorer module for evaluating the quality metric of the new password.